Azure Firewall Introduction

Home / Azure / Networking / Security / Azure Firewall

What is Azure Firewall?

Azure Firewall is a cloud-native and intelligent network security service that protects your Azure Virtual Network resources. It's a managed, cloud-based network security service that protects your Azure Virtual Network resources. It offers:

High Availability and Unrestricted Cloud Scalability: Built-in high availability and automatic scaling to meet your security needs.
Centrally Governed and Logged: Create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
Threat Intelligence-Based Filtering: Protects against known exploits by using threat intelligence feeds from Microsoft.

Key Features and Benefits

Azure Firewall provides a range of features designed to enhance your network security posture:

Network Rule Support: Filter traffic to and from Azure resources based on IP address, port, and protocol.
Application Rule Support: Filter fully qualified domain names (FQDNs) and web application categories.
Network Address Translation (NAT) Rule Support: Translate destination IP addresses and ports to your internal resources.
Azure Firewall Premium: Offers advanced threat protection features like TLS inspection, Intrusion Detection and Prevention System (IDPS), and advanced URL filtering.
Centralized Management: Manage firewall policies across your entire Azure environment from a single pane of glass.
Monitoring and Logging: Integrate with Azure Monitor and Log Analytics for comprehensive visibility into traffic and security events.

Azure Firewall acts as a Security Hub, allowing you to manage security policies centrally and gain insights into your network traffic.

How Azure Firewall Works

Azure Firewall is deployed as a managed service within your Azure Virtual Network. It intercepts traffic between subnets, virtual networks, and the internet. You can configure network and application rules to allow or deny traffic based on your security requirements.

When you deploy an Azure Firewall, it's associated with a virtual network. You then route traffic from your subnets through the firewall using user-defined routes (UDRs).

Deployment Options

Azure Firewall can be deployed in several ways:

Hub-Spoke Architecture: A common deployment pattern where Azure Firewall resides in a hub virtual network and secures traffic to and from spoke virtual networks.
Standalone Deployment: Deployed in its own virtual network to protect resources within that network.
VNet Peering: Can be used to connect spoke networks to a hub network containing the firewall.

Consider using Azure Firewall Manager for centralized management and policy orchestration across multiple Azure Firewall instances.

Use Cases

Azure Firewall is ideal for various scenarios, including:

Securing Virtual Machines (VMs): Protecting VMs in Azure from unauthorized access and malicious threats.
Controlling Internet Egress Traffic: Limiting which external destinations your internal resources can connect to.
Centralizing Network Security: Providing a consistent security posture across your Azure deployments.
Compliance Requirements: Meeting regulatory compliance needs by enforcing granular access controls.

Getting Started with Azure Firewall

You can deploy and configure Azure Firewall using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.

To begin, you'll typically need to:

Create a dedicated subnet for Azure Firewall (e.g., AzureFirewallSubnet).
Deploy an Azure Firewall instance into this subnet.
Configure network and application rules to define traffic flow.
Create user-defined routes (UDRs) to direct traffic through the firewall.

For detailed instructions and advanced configurations, please refer to the official Azure Firewall documentation.